For over three decades, the internet has revolutionized the way we innovate, communicate and share information. It has carved a path of possibilities and opportunities toward a digital revolution, in which our daily lives, economies and societies have been combined with systems and technology to unlock the Internet of Things (IoT).
With IoT, we now have the foundations to further increase efficiency and safety both in industrial settings and at home, all while providing the chance to leverage data and computing power to unlock even more new discoveries.
The aspiration of a connected future depends on the resilience and security of underlying technologies and systems. Whilst significant progress has been made in defending the digital ecosystem, we still have a long way to go. Technology as it stands remains vulnerable to threats, enabling bad actors to exploit systems and, ultimately, cause disruption.
In this blog, we’ll explore the purpose of the White House’s National Cybersecurity Strategy and the five-pillar approach it presents to forge a pathway into a digitally-enabled future.
Establishing a Vision to Secure Cyberspace
In early March 2023, the White House released its National Cybersecurity Strategy to ‘establish an affirmative vision for a secure cyberspace that creates opportunities to achieve our collective aspirations.’
The Strategy calls for two fundamental shifts: the rebalancing of responsibility and the realignment of incentives to favor long-term investments. In order to drive these shifts, the Strategy has been structured in five pillars.
The Five Pillars of the National Cybersecurity Strategy
The National Cybersecurity Strategy is composed of five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnership to Pursue Shared Goals
1. Defend Critical Infrastructure
Over the last year, improvements have been made in defending critical infrastructure through standardization, but there is still a lack of mandatory requirements, leading to inconsistent outcomes. The Strategy outlines that there should be requirements in order to provide confidence in the services which underpin the economy and everyday lives.
In order to improve defenses, existing legal authorities will be used to set performance-based and cybersecurity requirements for critical infrastructure organizations, and frameworks such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, along with others, will be leveraged.
Also included in this pillar is the strengthening of public-private collaboration to improve cybersecurity, promoting better government agency and department integration of cybersecurity, creating more updated federal incident response plans, and modernizing national defenses.
2. Disrupt and Dismantle Threat Actors
The goal of the second pillar is to make malicious actors incapable of escalating cyber-enabled campaigns which threaten US national security.
A plan to develop and update a Department of Defense strategy is articulated in order to clarify how cyberspace operations will proactively defend against actors which pose strategic-level threats to the US. Through the National Cyber Investigative Joint Task Force (NCIJTF), there is an aim to enable continuous coordinated operations.
Within the strategy, ransomware is deemed to be a national security threat, and there is a commitment to increasing disruption campaigns. The strategy also contemplates enhancing collaboration between public and private operations to improve the speed and scale of intelligence sharing and notification, in order to combat cybercrime and ransomware threats more generally.
3. Shape Market Forces to Drive Security and Resilience
The third pillar looks at the shift in responsibility, specifically toward those who are best positioned to reduce risk, with the goal of a modern digital economy that promotes security and resilience whilst maintaining innovation and competition.
The Strategy states how, in product development, there are many vendors who “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unknown or unvetted provenance”. Security-by-design principles or pre-release testing should be applied to reduce the risk, but often software and IoT makers are not incentivized to do so, as they are able to leverage their market position to disclaim liability by contract.
The Strategy proposes a shift of responsibility to the software makers to prevent end users bearing the consequences of insecure software. It’s expected that a framework will be created to shield companies who develop and maintain their own products from liability.
Why wait for this to come into force? Secure your products today.
The pillar further outlines the expectation that coordinated vulnerability disclosure will be encouraged across all technologies, the development of a process for identifying and mitigating risk in widely used unsupported software, continued efforts to improve IoT security, and other security incentives.
4. Invest in a Resilient Future
The fourth pillar reflects the view that a “resilient and flourishing digital future tomorrow begins with investments made today.”
There is a call for strategic public investments in innovation to be leveraged, along with education, to drive economically sustainable outcomes which serve the national interest. This points to existing programs, but also to working with other countries to optimize cybersecurity technologies.
One notable aspect of pillar four is the plan to strengthen and diversify the cybersecurity workforce. With this in mind, the Director of the Office of National Cybersecurity will lead, develop and implement a National Cyber Workforce and Education Strategy. This will build on existing efforts developed by the National Initiative for Cybersecurity Education (NICE) and others.
Another objective within this part of the strategy is support for the development of a digital identity ecosystem. While digital identity can enable a more innovative, safe and efficient digital economy, there needs to be investment in robust, verifiable digital identity solutions to promote security, accessibility and interoperability.
Other plans outlined in the strategy include: a “clean-up” effort to mitigate some of the most urgent problems troubling the foundational technologies of the internet, the transition of vulnerable public network systems to quantum-resistant technology, and the accelerated implementation of technology to provide a clean energy future.
5. Forge International Partnership to Pursue Shared Goals
For decades, there has been work, through international institutions, to define and advance responsible behavior in cyberspace. In the fifth and final pillar, the strategy looks to take this further by building coalitions to counter threats and, with this, to expand and strengthen partnerships.
This pillar also seeks to gain greater visibility by bringing together the public and private sectors, and encourages collaboration with organizations such as the National Cyber-Forensics and Training Alliance, along with others.
Complex, globally interconnected supply chains produce the information, communications and operational technology products which drive the US economy, and this dependency brings a growing network of international suppliers. There is a need to mitigate the risk, but doing so will require long-term, strategic cooperation between public and private sectors (both at home and abroad) to bring balance, resiliency and security.
Ambitious Agenda Balanced by Realism
The National Cybersecurity Strategy is a document with some substance to it and presents an ambitious agenda to tackle the mammoth task ahead – but is it realistic? When discussing the method of implementation, the administration looks to:
- Assess effectiveness with data
- Incorporate lessons learned from cyber incidents
- Make investments
There will be a battle ahead for the administration to achieve this ambitious agenda, but with less than two years to deliver a new strategy that calls for both new legislation and regulation, it’s not going to happen overnight or any time soon.
But as an organization, is there something you can do to tighten your cybersecurity defenses now?
Tighten Your Cybersecurity Now with GlobalSign
At GlobalSign, we have over 25 years of trusted experience providing solutions to enable organizations to secure access, networks, and devices. With our range of management, automation and integration solutions, you can deploy Public Key Infrastructure (PKI) technology across your organization quickly and efficiently.
- Digitally sign and secure documents
- Strengthen site security with trusted SSL/TLS
- Secure email with S/MIME
- Control and authenticate access to your networks and resources
- Be compliant with existing regulations such as eIDAS and PSD2
- Automate your certificate management lifecycle